我对这段代码有一个疑问,下面是 SQL 代码:
-- Login check for the user identified by @uid. Return codes, as consumed by CheckPassword on this page:
--   2 = no password or salt stored for the user, 3 = password expired, 1 = accepted, 0 = rejected.
-- @uid and @passw are parameters of the enclosing procedure, which is not shown here.
-- NOTE(review): the doubled quotes around SHA2_512 suggest this body was pasted from inside a string
-- literal; as a standalone procedure body the algorithm name would be quoted once.
if (select [Password] from People where Id = @uid) is null or (select [Salt] from People where Id = @uid) is null
return 2
declare @pass varbinary(max), @salt varbinary(max)
-- Stored hash and salt, re-read as varbinary; the four People lookups could be a single SELECT into variables.
set @pass= CAST((select [Password] from People where Id= @uid) AS varbinary(max));
set @salt= CAST((select [Salt] from People where Id= @uid) AS varbinary(max));
-- NOTE(review): one SHA2_512 pass over password+salt is a fast hash; an iterated scheme (PBKDF2 or
-- similar) is the usual recommendation for stored passwords. @passw must already be varbinary for the
-- plus operator to concatenate bytes rather than text -- confirm against the procedure header.
if (HASHBYTES(''SHA2_512'', (@passw+@salt)) = @pass)
-- Correct password: still reject (code 3) when the current date is past the Expires date of the row.
if(cast(getdate() as date) > (select Expires from People where Id= @uid)) return 3 else return 1
else
return 0
我的登录代码如下:
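/// <summary>
/// Executes <paramref name="storedprocedure"/> as <c>exec @retval = name @p1, @p2, ...</c>
/// and returns the procedure's integer RETURN value.
/// </summary>
/// <param name="db">Entity Framework database the command runs against.</param>
/// <param name="storedprocedure">Name of the stored procedure. A procedure name cannot be passed as a
/// query parameter, so it is spliced into the command text; it must be a trusted identifier, never user
/// input. A conservative character check rejects anything that is not identifier-like.</param>
/// <param name="parameters">Input parameters; every element must be a <see cref="SqlParameter"/>.
/// <c>null</c> is treated as "no parameters".</param>
/// <returns>The RETURN value of the procedure.</returns>
/// <exception cref="System.ArgumentNullException"><paramref name="db"/> or <paramref name="storedprocedure"/> is null.</exception>
/// <exception cref="System.ArgumentException">The procedure name is empty or contains characters outside
/// the identifier set, or an element of <paramref name="parameters"/> is not a <see cref="SqlParameter"/>.</exception>
/// <exception cref="System.InvalidOperationException">The procedure did not produce an integer return value.</exception>
public static int GetStoredProcedureReturnValue(System.Data.Entity.Database db, string storedprocedure, params object[] parameters) {
    if (db == null) {
        throw new System.ArgumentNullException(nameof(db));
    }
    if (storedprocedure == null) {
        throw new System.ArgumentNullException(nameof(storedprocedure));
    }
    if (parameters == null) {
        parameters = new object[0];
    }
    // Defence in depth for the one piece of text that is concatenated into the command: only
    // identifier characters ([schema].[name], temp/system prefixes) are accepted, so whitespace,
    // quotes or ';' can never reach the command text.
    if (storedprocedure.Length == 0) {
        throw new System.ArgumentException("Stored procedure name must not be empty.", nameof(storedprocedure));
    }
    foreach (char c in storedprocedure) {
        bool allowed = char.IsLetterOrDigit(c) || c == '_' || c == '.' || c == '[' || c == ']' || c == '@' || c == '#' || c == '$';
        if (!allowed) {
            throw new System.ArgumentException("Stored procedure name must be a plain identifier.", nameof(storedprocedure));
        }
    }
    SqlParameter[] sqlp = new SqlParameter[parameters.Length + 1];
    string[] placeholders = new string[parameters.Length];
    for (int i = 0; i < parameters.Length; i++) {
        SqlParameter sp = parameters[i] as SqlParameter;
        if (sp == null) {
            throw new System.ArgumentException("Parameter " + i + " is not a SqlParameter.", nameof(parameters));
        }
        // SqlParameter.ParameterName keeps a leading '@' when the caller supplied one; add it only when missing,
        // otherwise "@@name" would be sent, which T-SQL reads as a global variable.
        placeholders[i] = sp.ParameterName.StartsWith("@", System.StringComparison.Ordinal)
            ? sp.ParameterName
            : "@" + sp.ParameterName;
        sqlp[i + 1] = sp;
    }
    // The RETURN value comes back through an OUTPUT parameter bound to @retval.
    SqlParameter returned = new SqlParameter("@retval", SqlDbType.Int) { Direction = ParameterDirection.Output };
    sqlp[0] = returned;
    // string.Join also covers the no-parameter case; trimming a fixed two characters would otherwise
    // clip the end of the procedure name when nothing was appended.
    string query = "exec @retval = " + storedprocedure;
    if (placeholders.Length > 0) {
        query += " " + string.Join(", ", placeholders);
    }
    db.ExecuteSqlCommand(query, sqlp);
    if (!(returned.Value is int result)) {
        throw new System.InvalidOperationException("Stored procedure '" + storedprocedure + "' did not return an integer value.");
    }
    return result;
}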
/// <summary>
/// Runs <paramref name="storedprocedure"/> against this context's <c>Database</c> and returns its RETURN value.
/// Thin instance wrapper around <see cref="GetStoredProcedureReturnValue"/>; the same argument rules apply
/// (every element of <paramref name="parameters"/> is expected to be a <see cref="SqlParameter"/>).
/// </summary>
/// <param name="storedprocedure">Name of the stored procedure to execute.</param>
/// <param name="parameters">Input parameters forwarded unchanged.</param>
/// <returns>The RETURN value of the procedure.</returns>
public int ExecuteSqlCommandAndReturnValue(string storedprocedure, params object[] parameters)
    => GetStoredProcedureReturnValue(Database, storedprocedure, parameters);
在另一个类中……
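/// <summary>
/// Verifies <paramref name="value"/> (a <see cref="SecureString"/> holding the candidate password)
/// against the stored credentials by calling the <c>sp_checklogin</c> stored procedure.
/// </summary>
/// <param name="value">The candidate password as a <see cref="SecureString"/>. It is disposed before
/// this method returns, whatever the outcome.</param>
/// <returns><c>true</c> when the procedure returns 1 (password accepted); <c>false</c> for any other
/// code that is not mapped to an exception (0 = rejected).</returns>
/// <exception cref="System.ArgumentException"><paramref name="value"/> is null or not a <see cref="SecureString"/>.</exception>
/// <exception cref="NewPasswordException">The procedure returned 2 (in the procedure shown on this page,
/// that is the case where no password or salt is stored for the user).</exception>
/// <exception cref="ExpiredPasswordException">The procedure returned 3 (password past its expiry date).</exception>
public bool CheckPassword(Object value) {
    // Reject a bad argument before entering the try block: the finally must only ever dispose a real
    // SecureString, otherwise the cast inside finally would throw and mask the original error.
    if (!(value is SecureString secure)) {
        throw new System.ArgumentException("A SecureString is required.", nameof(value));
    }
    object passwordBytes = null;
    try {
        passwordBytes = CryptoTools.BytesFromSecureString(secure);
        int code = FixedContext.Instance.ExecuteSqlCommandAndReturnValue("sp_checklogin",
            new SqlParameter("uid", Id),
            new SqlParameter("passw", passwordBytes));
        if (code == 2) {
            throw new NewPasswordException();
        }
        if (code == 3) {
            throw new ExpiredPasswordException();
        }
        return code == 1;
    }
    finally {
        // The plaintext password was materialised outside the SecureString for the call; scrub the buffer
        // (when it is a byte array -- BytesFromSecureString is not shown here) so it does not linger in
        // managed memory after the check.
        byte[] buffer = passwordBytes as byte[];
        if (buffer != null) {
            System.Array.Clear(buffer, 0, buffer.Length);
        }
        secure.Dispose();
    }
}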
我想知道这样做是否安全,还是直接创建 SqlCommand 访问表更好。我是 SQL 客户端交互方面的新手,需要一些建议……
我尝试使用 `Database.ExecuteSqlCommand(...)` 来获取返回值,但它不起作用,为什么?